Abstract

Approximate reachability techniques trade off accuracy with the capacity to deal with bigger designs. Cho et al [3] proposed approximate FSM traversal algorithms over a partition of the set of state bits. In this paper we generalize it by allowing projections onto a collection of nondisjoint subsets of the state variables. We establish the advantage of having overlapping projections and present a new multiple constrain function for BDDs, to compute efficiently the approximate image during symbolic forward propagation using overlapping projections. We demonstrate the effectiveness of this new algorithm by applying it to several control modules from the I/O unit in the Stanford FLASH Multiprocessor. We also present our results on the larger ISCAS 89 benchmarks.

1 Introduction

Binary Decision Diagrams (BDDs) [1] have enabled formal verification to tackle larger hardware designs than before. However, for many large design examples, even the most sophisticated BDD-based verification methods cannot produce exact results because of BDD-size blowup. One alternative is to trade accuracy for BDD size requirements, by using approximate verification algorithms.

Computing the set of reachable states from an initial set is a basic component of many verification algorithms and has other applications as well. An overapproximated reachable set can be viewed as an underapproximated don't care set, which has applications in the synthesis domain. It can be used to simplify symbolic model checking efforts, by preventing the model checking algorithms from exploring unreachable states.

*This work was supported by DARPA contracts DABT63-94-C-0054 and DABT63-96-C-0097. The content of this paper does not necessarily reflect the position or the policy of the Government and no official endorsement should be inferred.

1.1 Related Work

Cho et al [3] proposed approximate algorithms to do symbolic forward propagation. Their basic idea was to partition the set of state bits into mutually disjoint subsets, and then do a symbolic forward propagation on each individual subset. The individual subsets can be viewed as submachines which have in some ways been torn from other submachines. The original problem is thus reduced to doing the exact symbolic forward propagation over smaller submachines. This induces extra degrees of freedom for the submachines, and hence yields an overapproximation of the reachable state space.

They also propose different variants of the approximated symbolic forward propagation algorithm: MBM (Machine By Machine) and FBF (Frame By Frame), which basically differ in the way they model the interaction among the various submachines. FBF allows interactions among the submachines at each time frame of a least fixed point routine, and hence allows for tighter don't care sequences to constrain the other submachines. MBM on the other hand allows interaction only after a complete least fixed point has been computed for a submachine. As a result the sequencing information is lost when trying to constrain the other submachines. They further propose two variants of the FBF scheme, RFBF (Reached Frame By Frame) and TFBF (To Frame By Frame), which again differ in the constraint set posed to the various submachines during the course of the least fixed point routine. Cho et al [3, 4] also propose heuristics on how to partition the set of state bits.

1.2 Contribution

In this paper, we improve on the approximate symbolic reachability analysis of Cho et al [3] by allowing for overlapping projections. We establish the need for overlapping projections, and propose a new multiple constrain function for BDDs, which allows us to compute efficiently the image of an implicit conjunction of BDDs with possibly overlapping support, using Boolean function vectors. We apply our algorithm on a real, large design and show its relative superiority over the FBF algorithms. Of course our scheme cannot be less accurate than the FBF method, since overlapping projections include disjoint partitions as a special case.

2 Background

We analyze synchronous hardware, given as a Mealy machine $M = (x, y, q_0, n)$, where $x = \{x_1, \ldots, x_k\}$ is the set of state variables, and $y$ is the set of input signals. The set of states is given by $[x \to B]$, where $B = \{0, 1\}$. The initial state is $q_0 \in [x \to B]$. The next state function is $n : [x \to B] \times [y \to B] \to [x \to B]$.

In our applications, sets can be viewed as predicates, since we can form the characteristic function corresponding to a set. BDDs can be used to represent predicates and manipulate them [2]. For example, let $R(x)$ be a predicate with support in $x$; we can compute the image of $R$ under $n$ as

$$Im(R(x), n(x, y)) = \lambda x'.\, \exists x, y.\, (x' = n(x, y)) \wedge R(x).$$

$Im$ produces a predicate with support $x'$, which is 1 iff $x'$ is in the image of $R$ under $n$. The set of reachable states in $M$ can be computed by a least fixpoint iteration [2]

$$Reach(M) = \mathrm{lfp}\, R.\, \lambda x.\, (q_0(x) \vee Im(R(x), n(x, y))).$$

2.1 Approximation by Projections

Let $w = (w_1, \ldots, w_p)$ be a collection of not necessarily disjoint subsets of $x$. Each subset will be referred to as a block. We define the operator $\alpha_j(R)$ which projects a predicate $R(x)$ onto the variables in $w_j$. Intuitively, $\alpha_j(R)$ represents the set of Boolean vectors that agree for the variables in $w_j$ with some Boolean vector satisfying $R$. Let $z$ consist of all of the Boolean variables in $x$ that are not in $w_j$; then we can define $\alpha_j$ as

$$\alpha_j(R(x)) = \lambda x.\, \exists z.\, R(x).$$

From the explanation above, it should be clear that the set of Boolean vectors satisfying $R$ is a subset of those satisfying $\alpha_j(R)$. This can be written using logical implication as $R \to \alpha_j(R)$. The approximation operator $\alpha$ projects a predicate $R(x)$ onto the various $w_j$'s and returns the tuple

$$\alpha(R(x)) = (\alpha_1(R), \ldots, \alpha_p(R)).$$

The concretization operator $\gamma$ conjoins the collection of projections:

$$\gamma(R_1, \ldots, R_p) = \bigwedge_{j=1}^{p} R_j.$$

Lemma 1 Given a collection of subsets $(w_1, \ldots, w_p)$ and a predicate $R(x)$, $R \to \gamma(\alpha(R))$.

The proof for this lemma is simple since $R \to \alpha_j(R)$ for all $j$. Thus projecting a predicate $R$ onto a collection of subsets, and then concretizing the projections by $\gamma$, results in an overapproximation.

Let $\mathbf{R} = (R_1, \ldots, R_p)$ and $\mathbf{S} = (S_1, \ldots, S_p)$ be two equally sized tuples. We define the join operator between $\mathbf{R}$ and $\mathbf{S}$ as follows:

$$(R_1, \ldots, R_p) \sqcup (S_1, \ldots, S_p) = (R_1 \vee S_1, \ldots, R_p \vee S_p).$$

Note that $\gamma(\mathbf{R}) \cup \gamma(\mathbf{S}) \subseteq \gamma(\mathbf{R} \sqcup \mathbf{S})$. Hence the join operator is an approximation of set union.

The operator $\alpha$ allows us to represent a big BDD with support in $x$ by a tuple of potentially smaller BDDs with limited support, at the cost of loss of accuracy. In contrast, $\gamma$ can potentially result in a bigger BDD with bigger support; hence we would like to avoid computing $\gamma(R_1, \ldots, R_p)$ explicitly. We therefore need to compute the image of an implicit conjunction and return the result as an implicit conjunction of the elements of a tuple. Let $Im_{ap}$ return the projected version of the image of an implicit conjunction of BDDs.

$$Im_{ap}(\mathbf{R}, n) = \alpha(Im(\gamma(\mathbf{R}), n(x, y)))$$

Using $Im_{ap}$, we can compute an overapproximation, $Reach_{ap}(M)$, of the reachable states for a machine $M$ as follows:

$$Reach_{ap}(M) = \mathrm{lfp}\, \mathbf{R}.\, (\alpha(q_0) \sqcup Im_{ap}(\mathbf{R}, n))$$

Note that the least fixpoint routine above starts with $\mathbf{R} = (0, \ldots, 0)$, and finally, after reaching convergence, it returns a tuple $\mathbf{R}$ to $Reach_{ap}(M)$. The overapproximate reachable state set is the implicit conjunction $\gamma(Reach_{ap}(M))$.

Theorem 1 For a given Mealy machine $M$,

$$Reach(M) \to \gamma(Reach_{ap}(M)) \qquad (1)$$

The proof relies on the observation that during computation of $Reach_{ap}(M)$, the image at every iteration of the least fixpoint routine is an overapproximation. The formal proof is omitted.

3 Overlapping Projections

3.1 Motivation for Overlaps

Overlapping projections can capture limited interactions among state machines while keeping the sizes of the BDDs under control. We discuss some common scenarios where this happens in this subsection. In contrast, disjoint partitions can only capture interactions among a set of state machines by including all of them in a single projection, which often leads to large variable subsets that cause BDD size blowup.

Often, two rather big state machines have a small interface, which can be captured by adding extra blocks to our collection $w$ that merely include the bits through which the two machines communicate. Design modules usually have a master FSM that communicates with a number of other slave FSMs. A collection of overlapping subsets allows us to capture the master-slave behavior by having blocks where the master is paired with each of its slaves in different blocks. We can further capture the correlation between various FSMs by having small blocks with pairs of FSMs in them.

In each of these cases, disjoint partitions require larger sized blocks to capture the same property. Thus overlapping subsets allow us to hit intermediate points in the memory space vs strength of invariant tradeoff curve, with disjoint partitions on one extreme and exact reachability on the other.
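As an added illustration of the projection ($\alpha_j$), concretization ($\gamma$) and join ($\sqcup$) operators of Section 2.1 and of the tradeoff just described, the following Python code (written for this edit; it is not the authors' implementation, which used BDDs through a LISP interface) runs the $Reach_{ap}$ fixpoint on a constructed 3-bit Mealy machine, with explicit state sets standing in for BDDs. The machine, its next-state function and the four block collections are assumptions chosen so that disjoint partitions, two overlapping pairs, all three pairs and the single full block give nested overapproximations of the exact reachable set.

```python
from itertools import product

# Constructed 3-bit Mealy machine (an assumption for this example, not a design
# from the paper): state bits x = (a, b, c), one input bit y, initial state 000.
STATE_VARS = ("a", "b", "c")
Q0 = (0, 0, 0)

def next_state(x, y):
    """n(x, y): the next-state function, one Boolean function per state bit."""
    a, b, c = x
    return (a ^ y, a, a & y)

def image(states):
    """Im(R, n): every next state reachable from R under some input value."""
    return {next_state(x, y) for x in states for y in (0, 1)}

def restrict(x, block):
    """The valuation of state x on the variables of block w_j, as a tuple."""
    return tuple(x[STATE_VARS.index(v)] for v in block)

def project(states, block):
    """alpha_j(R): existentially hide every variable outside block w_j."""
    return frozenset(restrict(x, block) for x in states)

def concretize(tup, blocks):
    """gamma(R_1, ..., R_p): the conjunction of the block predicates, enumerated
    explicitly here instead of being kept as an implicit BDD conjunction."""
    return {x for x in product((0, 1), repeat=len(STATE_VARS))
            if all(restrict(x, blk) in r for r, blk in zip(tup, blocks))}

def reach_exact(q0=Q0):
    """Reach(M) = lfp R. (q0 or Im(R, n)), on explicit sets."""
    r = {q0}
    while True:
        nxt = r | image(r)
        if nxt == r:
            return r
        r = nxt

def reach_ap(blocks, q0=Q0):
    """gamma(Reach_ap(M)) for a collection of (possibly overlapping) blocks:
    lfp R. (alpha(q0) join alpha(Im(gamma(R), n))), from the all-empty tuple."""
    alpha_q0 = tuple(project({q0}, blk) for blk in blocks)
    r = tuple(frozenset() for _ in blocks)
    while True:
        im = image(concretize(r, blocks))
        # the join operator: component-wise union of the two tuples
        nxt = tuple(a | project(im, blk) for a, blk in zip(alpha_q0, blocks))
        if nxt == r:
            return concretize(r, blocks)
        r = nxt

# Block collections compared below (assumptions for this example).
DISJOINT = (("a",), ("b",), ("c",))
TWO_PAIRS = (("a", "b"), ("a", "c"))
ALL_PAIRS = (("a", "b"), ("a", "c"), ("b", "c"))
EXACT_BLOCK = (("a", "b", "c"),)

if __name__ == "__main__":
    exact = reach_exact()
    for name, blocks in [("disjoint", DISJOINT), ("two pairs", TWO_PAIRS),
                         ("all pairs", ALL_PAIRS), ("single block", EXACT_BLOCK)]:
        over = reach_ap(blocks)
        assert exact <= over  # Theorem 1 on this machine: Reach(M) -> gamma(Reach_ap(M))
        print(f"{name:13s} |gamma(Reach_ap)| = {len(over)}  (exact: {len(exact)})")
```

Run as a script it prints 8, 6, 5 and 4 states for the four collections against 4 exact reachable states: the disjoint partition loses all correlation between the bits, each added overlapping pair recovers some of it, and the single full block is exact reachability, which is the tradeoff curve the paragraph above describes.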


3.2 Multiple Constrained Image

The key step in symbolic forward propagation algorithms is image computation.

$$Im_{ap}(\mathbf{R}, n) = (S_1, \ldots, S_p) = \alpha(Im(\gamma(\mathbf{R}), n(x, y)))$$

We would like to be able to compute the $S_j$'s separately, without computing $Im(\gamma(\mathbf{R}), n)$. Clearly $S_j$ can only depend on the next state functions of the variables appearing in the block $w_j$ in $w$. In our implementation, $n(x, y)$ is represented as a set of predicates $\{n_i(x, y) \mid 1 \le i \le k\}$, where each predicate determines the value of a bit in the next state. Let $\alpha_j(n)$ be the subset of predicates determining the next state for the bits in $w_j$. Clearly, $S_j = Im(\gamma(\mathbf{R}), \alpha_j(n))$.

To avoid unnecessary BDD blowup, we want to avoid the explicit conjunction $\gamma(\mathbf{R})$. $S_j$ can be computed by forming the next state relation for block $w_j$ and using early quantification [2, 8]. However, this did not work when we tried it on our larger examples. Instead, Coudert and Madre [5, 8] have shown how to compute the image of a Boolean function vector, using the generalized cofactor (also called constrain) operator ($\downarrow$). $(f \downarrow g)(x)$ has the same value as $f(x)$ when $g(x)$ holds, and usually results in a smaller BDD than $f$. Generalized cofactor allows us to cofactor a function $f$ with respect to another function $g$, and reduces to ordinary cofactor when $g$ is a single variable. So $f \downarrow x_i$ is the cofactor of $f$ when $x_i = 1$.

Coudert and Madre [5] show that $Im(\gamma(\mathbf{R}), \alpha_j(n)) = Im(1, \alpha_j(n) \downarrow \gamma(\mathbf{R}))$. To avoid computing the large BDD for $\gamma(\mathbf{R})$, it is tempting to compute $\alpha_j(n) \downarrow R_1 \downarrow R_2 \cdots \downarrow R_p$. This works well if the supports of the $R_i$'s are disjoint. (McMillan has shown [7] that if $g$ and $h$ have independent support, then $f \downarrow (g \wedge h) = (f \downarrow g) \downarrow h$.) However, since we have overlapping subsets, the naive method is incorrect. For example, consider $f = wxy$, $g = w$ and $h = \bar{w} \vee wxy$. $f \downarrow (g \wedge h) = 1$, and so $Im(g \wedge h, f) = \{1\}$. However $(f \downarrow g) \downarrow h = w \vee \bar{w}xy$, and $Im(1, (f \downarrow g) \downarrow h) = \{0, 1\}$ (we used the variable order $w < x < y$ for this example).

Instead, for overlapping projections, we propose the following method of multiple constrain. Let $(z_1, \ldots, z_p)$ be dummy state bits with corresponding next state functions $(R_1, \ldots, R_p)$. The multiple constrain method relies on the following key observation:

$$Im(\gamma(R_1, \ldots, R_p), \alpha_j(n)) = Im(1, [\alpha_j(n), R_1, \ldots, R_p]) \downarrow z_1 \downarrow z_2 \cdots \downarrow z_p$$

In words, we first extend the Boolean function vector $\alpha_j(n)$ with $(R_1, \ldots, R_p)$, and compute the range of the extended vector to get the set of next states. Every point in the range of $[\alpha_j(n), R_1, \ldots, R_p]$ will be "tagged" with the dummy variables $z_i$, which keep track of which of the $R_i$'s were satisfied in the present state. The required image is the part of the range where all the dummy bits $(z_1, \ldots, z_p)$ are 1, i.e. where all the $R_j$'s were satisfied by the present state. Selecting the cofactors where $z_1 = z_2 = \cdots = z_p = 1$ finds the BDD for the relevant part of the range while eliminating the dummy $z_i$ variables. In our example, our multiple constrain would compute $(f \downarrow h) \downarrow (g \downarrow h) = 1$. Hence we get $Im(1, (f \downarrow h) \downarrow (g \downarrow h)) = \{1\}$, which matches $Im(g \wedge h, f)$.

We can optimize on the usual recursive co-domain partitioning algorithm [5], by avoiding computing the parts of the range that will be discarded. Hence, we start with $[\alpha_j(n), R_1, \ldots, R_p]$, constrain the vector of predicates $[\alpha_j(n), R_1, \ldots, R_{p-1}]$ with $R_p$, then constrain the resulting $[\alpha_j(n), R_1, \ldots, R_{p-2}]$ with the constrained $R_{p-1}$, and so on till we constrain the resulting $\alpha_j(n)$ with the final $R_1$. Thereafter we can do the standard recursive image computation given by Coudert and Madre [5].

function Im_mc((R_1, ..., R_p), (n_1, ..., n_m))
    v ← [n_1, ..., n_m, R_1, ..., R_p]
    for j = p down to 1 by 1 do
        v ← v ↓ v[m + j]
    endfor
    return Im(1, [v[1], ..., v[m]])

Our least fixpoint routine starts with $\mathbf{R} = (0, \ldots, 0)$ and computes the tuple $Reach_{ap}$ as

$$\mathrm{lfp}\, \mathbf{R}.\, (\alpha(q_0) \sqcup (Im_{mc}(\mathbf{R}, \alpha_1(n)), \ldots, Im_{mc}(\mathbf{R}, \alpha_p(n))))$$

Our algorithm most closely resembles the RFBF algorithm proposed by Cho et al [3], but differs in that we allow for overlapping projections and compute the image for each block with our new $Im_{mc}$ operator. It is also straightforward to do MBM, TFBF, TMBM [3] traversals using overlapping projections.
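The constrain operator, the naive chain and $Im_{mc}$ on the example from the text, as an added example (not the authors' BDD code): predicates are stored as explicit sets of satisfying points, and the generalized cofactor is computed directly from its definition, $f$ evaluated at the nearest point of the care set under the Coudert-Madre distance for the order $w < x < y$. The function names, the `im_tagged` form of the key observation and the random property check are assumptions made here; the identities they check are the ones stated above, and the code also handles the case the pseudocode leaves implicit, an empty conjunction of the $R_i$'s.

```python
from itertools import product
import random

# Variables in BDD order w < x < y: w is the top variable, as in the text's example.
# A predicate is the frozenset of its satisfying points (w, x, y).
VARS = ("w", "x", "y")
POINTS = tuple(product((0, 1), repeat=len(VARS)))
ONE = frozenset(POINTS)          # the predicate 1 (every point)

def pred(fn):
    """Build a predicate from a Python function of the variables."""
    return frozenset(p for p in POINTS if fn(*p))

def distance(p, q):
    """Coudert-Madre metric: the top variable weighs 2^(k-1), the bottom one 1,
    so distinct points of the care set are always at distinct distances."""
    k = len(p)
    return sum((pi ^ qi) << (k - 1 - i) for i, (pi, qi) in enumerate(zip(p, q)))

def constrain(f, c):
    """Generalized cofactor f ↓ c: f at the nearest point of c (f itself on c).
    f ↓ 0 is taken to be 0 here, an assumption for the explicit-set version."""
    if not c:
        return frozenset()
    out = set()
    for p in POINTS:
        nearest = p if p in c else min(c, key=lambda q: distance(p, q))
        if nearest in f:
            out.add(p)
    return frozenset(out)

def vector_image(care, fs):
    """Im(care, [f_1..f_k]): the range of the function vector over the care set."""
    return {tuple(int(p in f) for f in fs) for p in care}

def im_direct(rs, ns):
    """Im(gamma(R), n) with the explicit conjunction, the reference to match."""
    conj = ONE
    for r in rs:
        conj &= r
    return vector_image(conj, ns)

def im_naive(rs, ns):
    """n ↓ R_1 ↓ R_2 ... ↓ R_p: only sound when the R_i have disjoint support."""
    v = list(ns)
    for r in rs:
        v = [constrain(fn, r) for fn in v]
    return vector_image(ONE, v)

def im_mc(rs, ns):
    """Multiple constrain (Im_mc): v = [n_1..n_m, R_1..R_p]; for j = p down to 1,
    v ← v ↓ v[m+j]; the image is the range of the first m entries."""
    m = len(ns)
    v = list(ns) + list(rs)
    for j in range(len(rs), 0, -1):
        c = v[m + j - 1]
        if not c:                 # the conjunction of the R's is empty: empty image
            return set()
        v = [constrain(fn, c) for fn in v]
    return vector_image(ONE, v[:m])

def im_tagged(rs, ns):
    """The key observation: range of [n, R_1..R_p] carries the dummy bits z_i;
    keep the tuples where every z_i = 1 and drop the z's."""
    m = len(ns)
    rng = vector_image(ONE, list(ns) + list(rs))
    return {t[:m] for t in rng if all(t[m:])}

# The example from the text: f = wxy, g = w, h = not w or wxy
F = pred(lambda w, x, y: w and x and y)
G = pred(lambda w, x, y: w)
H = pred(lambda w, x, y: (not w) or (w and x and y))

def random_check(trials=300, seed=7):
    """Property check (added here): Im_mc and the tagged range both agree with
    the direct image for random predicates with overlapping support."""
    rng = random.Random(seed)
    for _ in range(trials):
        rs = [frozenset(p for p in POINTS if rng.random() < 0.6)
              for _ in range(rng.randint(1, 3))]
        ns = [frozenset(p for p in POINTS if rng.random() < 0.5)
              for _ in range(rng.randint(1, 2))]
        want = im_direct(rs, ns)
        if im_mc(rs, ns) != want or im_tagged(rs, ns) != want:
            return False
    return True
```

With the text's predicates, `im_direct([G, H], [F])` and `im_mc([G, H], [F])` both give $\{1\}$ while `im_naive([G, H], [F])` gives $\{0, 1\}$, reproducing the discrepancy the paragraph above describes; `constrain(F, H)` evaluates to $w$, as the multiple constrain derivation claims.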

3.3 Choice of Collection of Subsets

Our scheme for choosing the collection of subsets is presently manual. First, we find the FSMs by inspecting the HDL source (we had access to the RTL description for our design examples). For each state bit $x_i$ we compute a score by counting the number of predicates $n_j(x, y)$ it supports. To each machine, a score is assigned which is the sum of the scores of its state bits. The two machines $(M_1, M_2)$ with the highest scores are identified as master FSMs. If the state bits of machines $M_i$ and $M_j$ support the bits of the master machine $M_1$ in their next state predicates, then $M_i$ and $M_j$ are slaves of $M_1$. The different slave machines for each of the master FSMs are identified. We then form blocks by pairing the master FSMs with their slaves. Thus, in this case, we would add the blocks $(M_1, M_i)$ and $(M_1, M_j)$ to the collection of subsets.

Often some FSMs are very small. The corresponding small blocks can then be aggregated with other blocks without running into intermediate image BDD size explosion. The converse problem is that some FSM $M_i$ may have large state registers, resulting in big blocks. If so, we try to prune these blocks by exploiting the small interface phenomenon described in Section 3.1. We also add a block with the master FSMs, to capture the correlation between the FSMs. We ensure that no block $w_i$ in the collection $w$ is a proper subset of another block $w_j \in w$, since this would clearly be wasteful.


4 FLASH Design Example

The Stanford FLASH (Flexible Architecture for SHared memory) multiprocessor [6] efficiently integrates support for cache coherent shared memory and high performance message passing. Each node in FLASH contains a microprocessor (MIPS R10000), a portion of the machine's global memory, a port to the interconnection network, an I/O interface and a custom node controller called MAGIC (Memory And General Interface Connect). MAGIC handles all communication both within the node and among nodes, using an embedded superscalar, dual issue RISC processor core. We focus on the control logic in the I/O unit, since bugs more often than not reside in the control logic rather than the datapath. (The MAGIC chip design description has a rather clean division between the control and datapath.) Table 1 gives a brief description of the various control modules in the I/O unit.

Table 1: Control Modules in I/O unit in FLASH

Module       | State Bits | Input Bits
IOInboxQCtl  | 23         | 8
ReqDecode    | 37         | 27
ReqService   | 41         | 58
IOMiscBusCtl | 44         | 18
PciInterface | 88         | 55

5 Experiments

We built a LISP interface to David Long's BDD package. Our approximate algorithm returns a superset of the reachable states, which is also an invariant of the design. To quantify the size of the superset, we compute the satisfying fraction of the superset. (Please refer to the appendix for the algorithm that was used to compute an upper bound on the satisfying fraction.) Since projection induces an overapproximation, the smaller the satisfying fraction, the stronger the invariant.

We preset the maximum number of BDD nodes (BDD Node Limit) for each experiment. Given our partitioning heuristics, we try to get the strongest invariant using overlapping projections. We compare our results with the disjoint partition schemes. The same variable ordering was used for both schemes. Node Count keeps track of the highest number of nodes that existed at a time during the experiment. The Iter column lists the number of iterations needed to reach the fixpoint. The last column, under the heading Relative, is the ratio between the satisfying fraction with disjoint partitions and the satisfying fraction with overlapping projections. Thus, the higher the figures in the Relative column, the stronger the invariant with overlapping projections.
Table 2a: IOInboxQCtl Invariant Strengths: Note that to improve upon the invariant with satisfying fraction 5.004883e-03, in the case of disjoint partitions, the BDD node count had to jump from 28,254 to 76,630, which is a 2.71 times increase in the BDD node count. The last entry under disjoint partitions was computed with all the state variables in a single block, which clearly gives the strongest possible invariant. Overlapping projections produce the strongest invariant at much lower node count.

[Figure 1: IOMiscBusCtl: Projections vs Partitions. Plot titled "IOMiscBusCtl Invariant Strength": satisfying fraction of the final invariant vs peak number of BDD nodes, solid curve for overlapping projections, the other curve for disjoint partitions.]

Table 2b: ReqDecode Invariant Strengths: For node limits of 1.0 million and 1.5 million, our algorithm with overlapping projections yields stronger invariants (by a factor of 1.252 and 1.562 respectively). Further, for the node limit of 1.0 million, our algorithm with overlapping projections uses fewer BDD nodes than the FBF runs with disjoint partitions, for a stronger invariant.

Table 2c: ReqService Invariant Strengths: Here, with disjoint partitions, the node count penalty goes up from 407,728 to 11,007,330 (a factor of 27) before we see any improvement in the strength of the invariant. The last entry under disjoint partitions was computed with all state variables in a single block, which extracts the strongest invariant. Note that the same invariant is extracted by our overlapping projections scheme at much lower node count penalty (1,995,304 nodes vs 11,007,330 nodes, which is lower by a factor of 5.517).

Table 2d: IOMiscBusCtl Invariant Strengths: Note that with node limits of 1.5 million and 2.0 million, our algorithm with overlapping projections yields significantly stronger invariants (by a factor of 13.973 and 71.329 respectively), at only incremental extra cost in terms of BDD node count. In Figure 1, we plot the satisfying fraction of the final invariant vs the peak number of BDD nodes. We see that the solid curve for overlapping projections is considerably below the other curve for disjoint partitions, indicating that overlapping projections give stronger invariants with lower BDD node counts compared to disjoint partitions.

Table 2e: PciInterface Invariant Strengths: The final invariant with overlapping projections is much stronger (factor of 5.932) than that obtained with disjoint partitions. Note that even as the node limit is raised from 2 million to 25 million, there is no improvement in the disjoint partition case.


6 ISCAS Benchmarks

We have also tried our algorithm on the ISCAS 89 benchmark suite. We use the partitions used by Cho et al [3] to identify the FSMs in the design. We chose the variable subsets by adding small overlaps to some of their blocks. We are unable to report comparative figures for s35932 because we could not procure the partitions used by Cho et al for s35932. In the case of s5378, our version of s5378 had 179 flip flops as opposed to the 164 flip flops in the one used by Cho et al. We report our results on the remaining benchmarks. The numbers under the Disjoint Partitions column correspond to the results we got by running the TMBM algorithm [3] (s13207, s15850, s38584) and the RFBF algorithm (s1238, s1423) on the partitions used by Cho et al [3].

Table 3: ISCAS-89 Invariant Strengths: Note that we report orders of magnitude improvement in the strength of the invariant for s13207 and s38584. The numbers in Table 3 under overlapping projections are upper bound estimates of the satisfying fraction of the final invariant. Thus, the invariant with overlapping projections is stronger, at least by a factor equal to the figures under the Relative column. (The TMBM algorithm starts off as TFBF and switches to MBM after a few iterations. Since we are using the TMBM algorithm for some circuits, the Iter column in Table 3 lists the number of iterations of doing TFBF + the number of iterations in the outer greatest fixpoint of MBM.)

7 Conclusions

In this paper we have proposed a new approximation scheme that enables us to do symbolic forward reachability analysis over an overlapping projection of the set of state bits. The approximation scheme results in tighter overapproximations compared to earlier schemes based on disjoint partitions. Our experiments show that a small amount of appropriately chosen overlaps in a given projection can substantially improve the quality of the overapproximation. Overlapping projections allow us to hit intermediate points in the memory space vs strength of invariant tradeoff curve, with disjoint partitions on one extreme and exact reachability on the other.

We have also proposed a new multiple constrain function for BDDs, that enables us to compute efficiently the image of an implicit conjunction of BDDs with possibly overlapping support, using Boolean function vectors.

We further need to look at automatic methods for choosing the collection of subsets, from gate level descriptions.

8 Acknowledgments

We thank David Long for his quick responses for BDD package support. We thank Enrico Macii for sending us the partitions that were used by Cho et al in their paper [3]. We further thank Jules Bergmann for helping us use his tool, vex, as a front end Verilog parser for the FLASH benchmarks.


9 Appendix

9.1 Approximating Sat-Fr of Superset

Given $\mathbf{S} = (S_1, \ldots, S_p)$, corresponding to the collection $w = (w_1, \ldots, w_p)$, we want an upper bound on the satisfying fraction (sat_fr) of $\gamma(\mathbf{S})$. If the elements of $\mathbf{S}$ have mutually disjoint support, we could compute sat_fr exactly as $\prod_{i=1}^{p} sat\_fr(S_i)$. However, here the $S_i$'s may have overlapping support. Our greedy algorithm computes the sat_fr of a superset of $\gamma(\mathbf{S})$, by using the fact $\exists x.(a \wedge b) \subseteq (\exists x.a) \wedge (\exists x.b)$.

A set $Z$ is used to keep track of which variables to hide existentially before computing the sat_fr of each block. At every step the BDD $S_m$ with the lowest sat_fr (after hiding existentially the variables in $Z$ from $S_m$) is picked. Its sat_fr is cumulatively multiplied into $f$, and the variables in $w_m$ are added to the set $Z$.

Z ← ∅; f ← 1.0
for j = 1 up to p by 1 do
    find m, s.t. ∀i. (sat_fr(∃Z.S_m) ≤ sat_fr(∃Z.S_i))
    f ← f × sat_fr(∃Z.S_m)
    Z ← Z ∪ w_m
endfor
return f

An alternative approach, Monte Carlo simulation, appears to be ineffective because of the extreme sparseness of the state space covered by $\gamma(\mathbf{S})$.
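The greedy bound of this appendix alongside the exact satisfying fraction it bounds, as an added example with explicit sets in place of BDDs (not the authors' code): the three overlapping blocks and the per-block predicates $S_j$ are constructed for the illustration, each block is picked once (a block already absorbed into $Z$ would only contribute a factor of 1, so this matches the pseudocode's result), and the property check at the end is an addition that exercises the inequality $\exists x.(a \wedge b) \subseteq (\exists x.a) \wedge (\exists x.b)$ on random predicates.

```python
from itertools import product
import random

# Constructed example (an assumption, not data from the paper): three state bits,
# three overlapping blocks, and S_j given as sets of valuations of block j's variables.
STATE_VARS = ("a", "b", "c")
BLOCKS = (("a", "b"), ("a", "c"), ("b", "c"))
S = (
    frozenset({(0, 0), (0, 1), (1, 0), (1, 1)}),   # S_1 over (a, b): unconstrained
    frozenset({(0, 0), (1, 0), (0, 1)}),           # S_2 over (a, c): forbids a = c = 1
    frozenset({(0, 0), (1, 0), (1, 1)}),           # S_3 over (b, c): forbids b = 0, c = 1
)

def hide(pred, block, hidden):
    """(∃Z.S_j, number of free variables): project S_j onto the variables of w_j
    that are not in Z, existentially hiding the rest."""
    keep = [i for i, v in enumerate(block) if v not in hidden]
    return frozenset(tuple(t[i] for i in keep) for t in pred), len(keep)

def sat_fr(pred, nvars):
    """Satisfying fraction: |S| / 2^(number of free variables)."""
    return len(pred) / (1 << nvars)

def sat_fr_upper_bound(s, blocks):
    """Greedy bound from the appendix: Z ← ∅; f ← 1.0; repeatedly pick the block
    with the lowest sat_fr(∃Z.S_m), multiply it into f, and add w_m to Z."""
    hidden, f, remaining = set(), 1.0, list(range(len(blocks)))
    while remaining:
        m = min(remaining, key=lambda j: sat_fr(*hide(s[j], blocks[j], hidden)))
        f *= sat_fr(*hide(s[m], blocks[m], hidden))
        hidden |= set(blocks[m])
        remaining.remove(m)
    return f

def sat_fr_exact(s, blocks, state_vars=STATE_VARS):
    """sat_fr(gamma(S)) by explicit enumeration, the quantity the bound stands in for."""
    count = 0
    for x in product((0, 1), repeat=len(state_vars)):
        val = dict(zip(state_vars, x))
        if all(tuple(val[v] for v in blk) in sj for sj, blk in zip(s, blocks)):
            count += 1
    return count / (1 << len(state_vars))

def random_bound_check(trials=200, seed=3):
    """Property check (added here): the greedy value is never below sat_fr(gamma(S))."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = tuple(frozenset(t for t in product((0, 1), repeat=len(blk))
                            if rng.random() < 0.7)
                  for blk in BLOCKS)
        if sat_fr_upper_bound(s, BLOCKS) + 1e-12 < sat_fr_exact(s, BLOCKS):
            return False
    return True
```

On the constructed blocks the greedy bound is 0.75 (it picks $S_2$ first, after which hiding $a$ and $c$ leaves the other two blocks unconstrained), while $\gamma(\mathbf{S})$ covers 5 of the 8 states, a satisfying fraction of 0.625; the gap is the price of never forming the conjunction explicitly.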
Table 2: FLASH Design Example Results

Table 2a: IOInboxQCtl

Node Limit | Disjoint: Sat. Fr. | Iter | Node Count | Overlapping: Sat. Fr. | Iter | Node Count | Relative
30000      | 5.004883e-03       | 20   | 28254      | 5.004883e-03          | 20   | 28254      | 1.000
60000      | 5.004883e-03       | 20   | 28254      | 4.943967e-03          | 20   | 53740      | [illegible]
70000      | 5.004883e-03       | 20   | 28254      | 3.967404e-03          | 20   | 64462      | [illegible]
80000      | 3.967404e-03       | 20   | 76630      | 3.967404e-03          | 20   | 64462      | 1.000

Table 2b: ReqDecode

Node Limit | Disjoint: Sat. Fr. | Iter | Node Count | Overlapping: Sat. Fr. | Iter | Node Count | Relative
50000      | 2.184883e-05       | 20   | 33408      | 2.184883e-05          | 20   | 33408      | 1.000
200000     | 2.107944e-05       | 20   | 134536     | 1.979293e-05          | 20   | 171448     | 1.065
1000000    | 1.274049e-05       | 33   | 980968     | 1.017604e-05          | 20   | 608726     | 1.252
1500000    | 1.274049e-05       | 33   | 980968     | 8.156174e-06          | 20   | 1195109    | 1.562
2500000    | 3.168825e-06       | 25   | 2032890    | 3.168825e-06          | 25   | 2032890    | 1.000

Table 2c: ReqService

Node Limit | Disjoint: Sat. Fr. | Iter | Node Count | Overlapping: Sat. Fr. | Iter | Node Count | Relative
50000      | 1.658440e-02       | 34   | 23662      | 1.658440e-02          | 34   | 23662      | 1.000
500000     | 1.351655e-03       | 44   | 407728     | 1.053363e-03          | 37   | 470642     | 1.283
750000     | 1.351655e-03       | 44   | 407728     | 1.039535e-03          | 40   | 537578     | [illegible]
1800000    | 1.351655e-03       | 44   | 407728     | 1.039460e-03          | 40   | 1776965    | [illegible]
2000000    | 1.351655e-03       | 44   | 407728     | 1.036219e-03          | 44   | 1995305    | [illegible]
12000000   | 1.036219e-03       | 44   | 11007330   | 1.036219e-03          | 44   | 1995305    | 1.000

Table 2d: IOMiscBusCtl

Node Limit | Disjoint: Sat. Fr. | Iter | Node Count | Overlapping: Sat. Fr. | Iter | Node Count  | Relative
1000000    | 4.210770e-04       | 4    | 104135     | 4.210770e-04          | 4    | [illegible] | 1.000
1500000    | 3.810450e-04       | 4    | 1173863    | 2.726912e-05          | 4    | 1244294     | 13.973
2000000    | 3.810450e-04       | 4    | 1173863    | 5.342066e-06          | 4    | [illegible] | 71.329
3000000    | 5.342066e-06       | 4    | 2556733    | 5.342066e-06          | 4    | [illegible] | 1.000

Table 2e: PciInterface

[Most cells of this subtable are illegible in the source. The legible entries are a node count of 598257 under both schemes in the first row, and Relative values of 1.000, 1.499 and 5.932 in successive rows.]

Table 3: ISCAS 89 Benchmark Results

Circuit | Disjoint: Sat. Fr. | Iter        | Node Count  | Overlapping: Sat. Fr. | Iter | Node Count | Relative
s1238   | 7.036972e-02       | 3           | [illegible] | 6.320953e-03          | 4    | 73849      | 11.133
s1423   | [illegible]        | [illegible] | 310461      | 2.193374e-03          | 248  | 1032286    | 1.361
s13207  | 3.421447e-106      | 10+6        | 161447      | 1.136200e-115         | 10+5 | 198779     | 3.3208e+08
s15850  | 5.840135e-102      | 10+5        | 271093      | 3.937940e-102         | 10+4 | 336048     | 1.483
s38584  | 6.494194e-41       | 10+2        | 646258      | 5.764063e-57          | 10+5 | 1853461    | 8.876e+15

